Target Safety Integrity Level (SIL) of a SIF

- The target SIL of the SIF is critical to the SRS
  - It ensures the design is appropriate to the risk reduction required to prevent the hazard from occurring
- IEC 61511-3 provides guidance on determination methodologies
  - CCPS also offers guidance on the LOPA method
- These methods can be quantitative, semi-quantitative or qualitative
Determine SIL for each SIS function

[Figure: safety lifecycle steps "Determine SIL for each SIS function", "SIS Safety Requirements Specification" and "SIS Design and Engineering", with Part 3 of IEC 61511 (guidance on the determination of required SILs) shown as the input to SIL determination.]

Part 3 of IEC 61511 annexes:
- Annex A: ALARP concepts
- Annex B: Semi-quantitative method
- Annex C: Safety layer matrix
- Annex D: Risk graph (semi-qualitative)
- Annex E: Risk graph (qualitative)
SIL Determination by Risk Graph

The Risk Graph Assessment Team

- A competent, experienced team with relevant site experience and knowledge of the process to be assessed
- Based on the process to be assessed, the team should include:
  - Independent facilitator and scribe (could be a process safety engineer)
  - Process design experience
  - Operations experience
  - Maintenance experience and equipment knowledge
  - Safety representative
  - Control and instrument representative
  - Other specialists as required (electrical, mechanical, equipment vendor)
Risk Graph

- A determination tool based on calibrated risk parameters (IEC 61511-3):
  - Demand rate (W)
  - Consequence (C)
  - Occupancy (F)
  - Probability of avoidance (P)
- Mandatory to consider personal safety and environmental consequences
- Optional to consider asset consequences / business needs
- Now considered a screening tool for significant-risk SIFs
- Tends to be conservative
- Can be qualitative or semi-quantitative
Risk graph: general scheme

[Figure: the generalized risk graph arrangement of IEC 61511-3, with the starting point for risk reduction estimation on the left, branches for the C, F and P parameters, and the W1 / W2 / W3 result columns on the right. In practical implementations the arrangement is specific to the applications to be covered by the risk graph.]

Legend:
- C = Consequence parameter
- F = Exposure time parameter
- P = Probability of avoiding the hazardous event
- W = Demand rate assuming no protection
- --- = No safety requirements
- a = No special safety requirements
- b = A single E/E/PES is not sufficient
- 1, 2, 3, 4 = Safety integrity level
Personal Safety Risk Graph

- Based on the IEC 61511-3 methodology (also guidance in IEC 61508-5, Annex D)
- Calibrated in terms of potential loss of life
- All four risk parameters (W, C, F, P) are considered:
  - Demand rate (W): the frequency of demand with no SIS installed
  - Consequence (C): consequences in terms of fatalities or serious injury with no SIS installed
  - Occupancy (F): personal exposure to the hazard in terms of occupancy; duration is normally assessed as less than 10% or more than 10% of working time
  - Probability of avoidance (P): avoidance factors such as SIS failure alarm, manual shutdown and evacuation
Risk graph: Semi-quantitative Parameters

Consequence (C)
- Guidance for the number of fatalities: multiply the number of people present when the area is occupied by the vulnerability.
- Vulnerability factors guide:
  - V = 0.01: small release of flammable or toxic material
  - V = 0.1: large release
  - V = 0.5: as above, but with a high probability of fire, or highly toxic
  - V = 1: rupture or explosion
- Range of values:
  - CA = Minor injury
  - CB = Range 0.01 to < 0.1
  - CC = Range 0.1 to < 1.0
  - CD = Range > 1.0

Occupancy (F)
- Calculated by determining the length of time the area exposed to the hazard is occupied during a normal working period.
- Range of values:
  - FA = Rare to more often exposure in the hazardous zone; occupancy less than 0.1
  - FB = Frequent to permanent exposure in the hazardous zone

Avoidance (P)
- The possibility of avoiding the hazardous event if the protection system fails to operate.
- Range of values:
  - PA = Possible to avoid. Should only be selected if all of the following are true:
    - Facilities are provided to alert the operator that the SIS has failed
    - Independent facilities are provided to shut down such that the hazard can be avoided, or which enable all persons to escape to a safe area
    - The time between the operator being alerted and a hazardous event occurring exceeds 1 hour
  - PB = Not possible to avoid. Applies if any of the PA conditions are not met

Demand rate (W)
- The number of times per year that the hazardous event would occur in the absence of the SIS under consideration.
- Range of values:
  - W1 = Demand rate less than 0.1 demand per year
  - W2 = Demand rate between 0.1 and 1 demand per year
  - W3 = Demand rate between 1 and 10 demands per year
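The parameter calibration above, written out as a small classifier plus a graph lookup. This is an added example, not material from the ProSalus slides: the function names are mine, the boundary choices (C below 0.01 treated as CA, C of exactly 1.0 treated as CD) are assumptions, and the branch-to-column mapping and W-column results are assumed from the general IEC 61508-5 Annex D scheme rather than read off the slides; a site's own calibrated graph replaces those two tables.

```python
# Added example (not from the ProSalus slides): classify the four risk-graph
# parameters from the semi-quantitative calibration on the slides above, then
# look up the result. The branch-to-column mapping (X1..X6) and the W-column
# results are an ASSUMPTION taken from the general IEC 61508-5 Annex D scheme;
# a real site substitutes its own calibrated graph.

def consequence_class(people_present: int, vulnerability: float) -> str:
    """C = people present when the area is occupied x vulnerability V
    (V = 0.01 small release, 0.1 large release, 0.5 high fire/toxic
    probability, 1 rupture or explosion). Boundary choices are assumptions:
    below 0.01 is CA (minor injury), exactly 1.0 is CD."""
    c = people_present * vulnerability
    if c < 0.01:
        return "CA"
    if c < 0.1:
        return "CB"   # 0.01 to < 0.1 fatalities
    if c < 1.0:
        return "CC"   # 0.1 to < 1.0 fatalities
    return "CD"       # 1.0 or more fatalities

def occupancy_class(fraction_of_working_time: float) -> str:
    """FA if the exposed area is occupied less than 10% of the time, else FB."""
    return "FA" if fraction_of_working_time < 0.1 else "FB"

def avoidance_class(sis_failure_alarm: bool, independent_shutdown_or_escape: bool,
                    warning_time_hours: float) -> str:
    """PA only if ALL three slide criteria hold; otherwise PB."""
    if sis_failure_alarm and independent_shutdown_or_escape and warning_time_hours > 1.0:
        return "PA"
    return "PB"

def demand_class(demands_per_year: float) -> str:
    """W1 below 0.1/yr, W2 from 0.1 to 1/yr, W3 from 1 to 10/yr."""
    if demands_per_year < 0.1:
        return "W1"
    if demands_per_year <= 1.0:
        return "W2"
    if demands_per_year <= 10.0:
        return "W3"
    raise ValueError("demand rate above 10/yr is outside the graph; use LOPA or QRA")

# Branch -> column of the general scheme (assumed from IEC 61508-5 Annex D).
_COLUMN = {
    ("CA", None, None): 1,
    ("CB", "FA", "PA"): 2,
    ("CB", "FA", "PB"): 3, ("CB", "FB", "PA"): 3,
    ("CB", "FB", "PB"): 4, ("CC", "FA", "PA"): 4,
    ("CC", "FA", "PB"): 5, ("CC", "FB", "PA"): 5, ("CD", "FA", "PA"): 5,
    ("CC", "FB", "PB"): 6, ("CD", "FA", "PB"): 6,
    ("CD", "FB", "PA"): 6, ("CD", "FB", "PB"): 6,
}

# Column x demand rate -> result. "---" no safety requirements, "a" no special
# safety requirements, "b" a single E/E/PES is not sufficient, "1".."4" the SIL.
_RESULT = {
    1: {"W1": "---", "W2": "---", "W3": "a"},
    2: {"W1": "---", "W2": "a",   "W3": "1"},
    3: {"W1": "a",   "W2": "1",   "W3": "2"},
    4: {"W1": "1",   "W2": "2",   "W3": "3"},
    5: {"W1": "2",   "W2": "3",   "W3": "4"},
    6: {"W1": "3",   "W2": "4",   "W3": "b"},
}

def risk_graph_result(c: str, f: str, p: str, w: str) -> str:
    """Walk the graph: C selects the branch, F and P the column, W the row."""
    key = (c, None, None) if c == "CA" else (c, f, p)
    return _RESULT[_COLUMN[key]][w]

def assess(people_present, vulnerability, occupancy_fraction, sis_failure_alarm,
           independent_shutdown_or_escape, warning_time_hours, demands_per_year):
    """Full semi-quantitative assessment; returns (C, F, P, W, result)."""
    c = consequence_class(people_present, vulnerability)
    f = occupancy_class(occupancy_fraction)
    p = avoidance_class(sis_failure_alarm, independent_shutdown_or_escape, warning_time_hours)
    w = demand_class(demands_per_year)
    return c, f, p, w, risk_graph_result(c, f, p, w)

if __name__ == "__main__":
    # Constructed scenario (not the deck's exercise): large flammable release
    # (V = 0.1) with 2 people present, area occupied 5% of the time, SIS failure
    # alarm and independent shutdown available but only 30 minutes of warning,
    # 0.5 demands per year with no SIS.
    print(assess(2, 0.1, 0.05, True, True, 0.5, 0.5))   # -> CC, FA, PB, W2, SIL 3
```

The point to notice is the avoidance parameter: the 30 minutes of warning fails the "exceeds 1 hour" criterion, so PB is forced even though a failure alarm and an independent shutdown exist, and the result moves up a column compared with PA.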
Demand Rates (W)

Demand rates are generally determined by:
- Control system failure
- Equipment failure such as pumps, valves, blockage etc.
- Human error
- Abnormal operating conditions, e.g. start-up
- Environmental conditions
- Utility failure, e.g. electrical, instrument air, cooling water etc.

ProSalus Limited, Functional Safety Engineering, Slide 7-12. Copyright ProSalus Limited 2011.
Risk Graph: Environmental Impact

[Figure: the generalized risk graph arrangement for environmental impact, with the starting point for risk reduction estimation on the left. In practical implementations the arrangement is specific to the applications to be covered by the risk graph.]

Legend:
- C = Consequence parameter
- F = Not used
- P = Possibility of failing to avoid hazard parameter
- W = Demand rate assuming no protection
- --- = No safety requirements
- a = No special safety requirements
- b = A single E/E/PES is not sufficient
- 1, 2, 3, 4 = Safety integrity level
General environmental consequences

Consequence (C), in order of increasing severity, with examples:
- A release with minor damage that is not very severe but is large enough to be reported to plant management. Examples: a moderate leak from a flange or valve; small-scale liquid spill; small-scale soil pollution without affecting ground water.
- Release within the fence with significant damage. Example: a cloud of obnoxious vapour travelling beyond the unit following flange gasket blow-out or compressor seal failure.
- Release outside the fence with major damage which can be cleaned up quickly without significant lasting consequences. Example: a vapour or aerosol release, with or without liquid fallout, that causes temporary damage to plants or fauna.
- Release outside the fence with major damage which cannot be cleaned up quickly, or with lasting consequences. Examples: liquid spill into a river or sea; a vapour or aerosol release, with or without liquid fallout, that causes lasting damage to plants or fauna; solids fallout (dust, catalyst, soot, ash); liquid release that could affect groundwater.
Asset Loss graph

- The severity of the consequence is calibrated in terms of financial loss
- The financial consequences must be calibrated in terms of what would occur if no SIS were installed
- Beware of over-extending the financial loss, as this leads to high SIL values where the SIS would have had no impact
Risk Graph: Asset Loss

[Figure: the generalized risk graph arrangement for asset loss, with the starting point for risk reduction estimation on the left. In practical implementations the arrangement is specific to the applications to be covered by the risk graph.]

Legend:
- C = Consequence parameter
- F = Not used
- P = Possibility of failing to avoid hazard parameter
- W = Demand rate assuming no protection
- --- = No safety requirements
- a = No special safety requirements
- b = A single E/E/PES is not sufficient
- 1, 2, 3, 4 = Safety integrity level
General asset consequences (not in IEC 61511)

Consequence (C), classification for asset loss in £:
- CA: impact of 100,000 to 1,000,000
- CB: impact of 1,000,000 to 10,000,000
- CC: impact of 10,000,000 to 100,000,000
- CD: impact of > 100,000,000
A credit is an order of magnitude (SIL 1)

- Don't take credit for the control system when it was the cause of the demand
- Don't take credit for the SIS which the SIF under assessment forms a part of
- Don't take a credit for frequency of occupancy when there is uncertainty in the location of operations / maintenance
- Don't take a credit for avoidance unless all of the criteria can be met
- A SIF can protect against more than one hazard: assess each hazard in turn and take the worst-case SIL
The Target Integrity Level

- The target integrity of a SIF is determined from the highest of the three assessments:
  - Safety
  - Environment
  - Asset
- Target integrity level = maximum (SIL, EIL, AIL)
- The SIF must be designed to achieve the highest target integrity level
Boiler Drum with pre-trip alarm and SIS trip: Example

[Figure: boiler steam drum with feed water, a level pre-trip alarm, and an SIS trip through a logic solver.]
Risk Parameters: SIL Classification by Risk Parameters Chart

C - Extent of damage
- C1: Slight injury
- C2: Severe irreversible injury to one or more persons, or death of a person
- C3: Death of several persons
- C4: Catastrophic consequences, multiple deaths

F - Frequency and exposure time
- F1: Seldom to relatively frequent
- F2: Frequent to continuous

P - Hazard avoidance / mitigation
- P1: Possible under certain conditions
- P2: Hardly possible

W - Occurrence probability
- W1: Very low
- W2: Low
- W3: Relatively high

[Figure: the risk parameters chart, with the starting point on the left and the W1 / W2 / W3 result columns on the right.]

Legend:
- - = No safety requirements
- a = No special safety requirements
- b = A single E/E/PES is not sufficient
- 1, 2, 3, 4 = Safety integrity level
SIL Classification by Risk Parameters Chart: Example

[Figure: a worked example traced through the risk parameters chart, using the same C, F, P and W parameters and the same legend as the previous slide.]




Practical Exercise No: 3 


Determination of SIL by Risk Graph 
Flow Ratio High Trip

[Figure: reactor with oxidant feed and supply fan, showing the proposed flow ratio high trip.]
Exercise No: 3 - Determination of SIL by Risk Graph

This practical exercise requires participants to determine the required SIL of a proposed safety instrumented system using the basic principles, risk graphs and calibration parameters for safety, environment and asset loss described in this module.

The process is a reactor with a continuous feed of fuel and oxidant. Two flow control loops are operated under a ratio controller set by the operator to provide matching flows of fuel and oxidant to the reactor. An explosive mixture can occur within the reactor if the fuel flow becomes too high relative to the oxidant flow.

Possible causes are: failures of the BPCS, an operator error in manipulating the controls, or sudden loss of oxidant feed.

A SIS is proposed with a separate set of flow meters connected to a flow ratio measuring function that is designed to trip the process to a safe condition if the fuel flow exceeds the oxidant flow by a significant amount.

The tag number for this function is FFSH-03.
Assume that the following information has been decided for the reactor.

The total frequency of the events leading to an explosive mixture is approximately once every ten years.

The consequence of the explosion has been determined to be a vessel rupture causing death or serious injury to 1 person.

The occupancy in the exposed area is less than 10% of the time and is not related to the condition of the process.

The onset of the event is likely to be fast, with a worst-case time of 10 minutes between loss of oxidant and the possible explosion.

The material released from an explosion is not harmful to the environment.
The reactor will cost in excess of £250,000 to replace.

Determine the target SIL = , EIL = , AIL =

Determine the overall target integrity for the SIF =
Layers of Protection Analysis (LOPA)

The LOPA "Onion"

[Figure: concentric protection layers, from plant design and integrity at the centre, through the Safety Instrumented System (preventative action), out to community emergency response.]
What is LOPA

- Usually developed from HAZOP; introduced in 2001 per IEC 61511
- Assessment is usually hazard-scenario based (i.e. derived from HAZOP)
- It is a modified version of ETA, usually based on the CCPS simplified process risk assessment approach, and is considered a semi-quantitative type of analysis
  - For "Buncefield type" scenarios (storage tanks) a more quantitative approach is required
- For IEC 61511, analyse each hazard cause / consequence pair where a SIF has been identified as a safeguard during HAZOP
- Can be applied to general PRA without SIF assessment
- Requires tolerability risk criteria to be established for the site under assessment
IEC 61511 - Mapping HAZOP Data to LOPA Data

[Table: LOPA required information (first row: Initiating Cause) against the corresponding HAZOP developed information.]
The LOPA Process:
1. Define the unwanted impact
2. Determine and list all of the initiating events
3. Determine and list all of the layers of protection
4. Quantify the frequency of the initiating events
5. Quantify the effectiveness of the layers of protection
6. Calculate the resultant frequency of the unwanted impact
LOPA Worksheet

[Figure: blank LOPA worksheet with rows for the impact event, the initiating cause, and the protection and mitigation layers.]
How LOPA works

Example:
- Risk tolerance criteria (frequency): 10^-7 per year
- Initiating event frequency: 10^-1 per year
- Conditional modifier (ignition frequency): 10^-1
- PFD of 1st IPL (BPCS): 10^-1
- PFD of 2nd IPL (mechanical PRV): 10^-2
- PFD required of the SIS (SIL 1 to 3): 10^-2

SIS required. Required PFD of the SIS = 10^-7 / (10^-1 x 10^-1 x 10^-1 x 10^-2) = 10^-2
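The arithmetic above, and its generalisation to several initiating events that lead to the same impact event and are all covered by the same SIS, as an added example (not the slides' own material). The function names, the two-cause sample values, and the SIL banding convention described in the comments are assumptions made for this example; the single-scenario figures are the slide's.

```python
# Added example (not the slides' own code): the LOPA arithmetic from the
# "How LOPA works" slide, generalised so that several initiating events that
# lead to the same impact event, all covered by the same SIS, are summed
# before the SIS is sized. Frequencies are per year; conditional modifiers
# and IPL credits are probabilities (PFDavg).
import math
from math import prod

def frequency_without_sis(scenarios):
    """Sum over scenarios of IEF x (conditional modifiers and non-SIS IPL PFDs).
    scenarios: list of (initiating event frequency, [factors])."""
    return sum(ief * prod(factors) for ief, factors in scenarios)

def required_sis_pfd(tolerable_frequency, scenarios):
    """Largest PFDavg the SIS may have so the mitigated frequency meets the target.
    A value >= 1.0 means the existing layers already close the gap."""
    return tolerable_frequency / frequency_without_sis(scenarios)

def protection_gap(tolerable_frequency, scenarios):
    """Gap in orders of magnitude; positive means a SIS is needed (Basic Rules for SIS)."""
    return math.log10(frequency_without_sis(scenarios) / tolerable_frequency)

def sil_for_pfd(required_pfd):
    """SIL band for a required PFDavg, using this deck's convention that a
    required PFD of exactly 1E-2 is SIL 2 (SIL 1 + SIL 1 = SIL 2): SIL n covers
    10^-(n+1) < PFD <= 10^-n. Returns 0 when no SIS is needed."""
    if required_pfd >= 1.0 - 1e-9:
        return 0
    # small epsilon so float noise around 1E-2 (0.00999...) still lands in SIL 2
    return max(1, math.floor(-math.log10(required_pfd) + 1e-9))

def lopa_sil(tolerable_frequency, scenarios):
    """Required SIL of the SIS closing the gap; refuses SIL 4 per the Basic Rules."""
    sil = sil_for_pfd(required_sis_pfd(tolerable_frequency, scenarios))
    if sil > 3:
        raise ValueError("SIL > 3 required: add non-SIS IPLs or fix the process design")
    return sil

if __name__ == "__main__":
    # The slide's single-scenario example: tolerable 1E-7/yr, IEF 1E-1/yr,
    # ignition 1E-1, BPCS 1E-1, PRV 1E-2 -> required SIS PFD 1E-2 -> SIL 2.
    slide = [(1e-1, [1e-1, 1e-1, 1e-2])]
    print(required_sis_pfd(1e-7, slide), lopa_sil(1e-7, slide))
    # Constructed two-cause case (not the deck's exercise): two initiating
    # events for one impact event, each with its own independent IPL credits.
    two_causes = [(2.0, [0.1, 0.1]), (0.1, [0.1])]
    print(protection_gap(1e-5, two_causes), lopa_sil(1e-5, two_causes))
```

Summing the mitigated frequencies before dividing is what makes the multi-cause case correct: the SIS sees the demands from every cause, so the target has to be met by the total, not by each cause separately.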
IEC 61511 Part 3 Annex F.4 Severity Levels

Table F.2 Impact event severity levels

Severity level | Consequence
- Minor (M): Impact initially limited to the local area of the event, with potential for broader consequence if corrective action is not taken
- Serious (S): Impact event could cause serious injury or fatality on site or off site
- Extensive (E): Impact event that is five or more times more severe than a serious event
Example Personnel Risk Tolerance Criteria

Columns: Defined severity level | Safety consequence descriptors | Maximum frequency of mitigated event (likelihood/yr; the exponents of the frequency values are not legible in the source)

- Minor (Ms): Serious injury to employee (probability of death < 10%) | 1 x 10^-n
- Serious (Ss): Potential loss of life of one or more employees (probability of death > 10%); serious injury to member of public (probability of death < 10%) | 1 x 10^-n
- Extensive (Es): Potential loss of life of many employees (greater than 3 and up to 10); potential loss of life of one or more members of the public (probability of death > 10%) | 1 x 10^-n
- Catastrophic (Cs): Potential loss of life of many people (10 to 100) | Use QRA
Example Environmental Risk Tolerance Criteria

Columns: Defined severity level | Environmental consequence descriptors | Maximum frequency of mitigated event (likelihood/yr; the exponents of the frequency values are not legible in the source)

- Minor (Ms): NOTICEABLE, on-site reportable. A release with minor damage that is not very severe, but is large enough to be reported to plant management | 3 x 10^-n
- Serious (Ss): SIGNIFICANT, on-site short term. A release within the site boundary or process building with significant damage | 3 x 10^-n
- Extensive (Es): SEVERE. A release outside the boundary with major damage, which can be cleaned up readily, with no significant lasting consequences | 3 x 10^-n
- Catastrophic (Cs): MAJOR TO CATASTROPHIC, widespread long term. Release from outside the fence with major damage and lasting consequences | 3 x 10^-n
Commercial Risk Tolerance Criteria

[Table: defined severity level | commercial consequence descriptors (total of asset loss, product loss, production downtime loss and rebuild cost) | CBA based on incident frequency/year. Only the column headings are present.]
Impact Event Description & Initiating Cause

- The HAZOP is reviewed to identify all cause / consequence pairs which have a SIF included in the safeguards for the hazard scenario
- The impact event description is the HAZOP consequence for the hazard scenario under review
- The initiating cause description is the HAZOP cause for the hazard scenario under review
- These two descriptions are entered into the LOPA record sheet
Step 2 - Example Initiating Events (e.g. cause from HAZOP)

- Based on control system failure
- Failure to regulate
- Spurious operation of safety valve
- Major internal leakage / tube failure within a shell and tube heat exchanger: frequency 0.01 (the selected frequency assumes that the exchanger is inspected annually)
Use Conditional Modifiers

- Use of conditional modifiers can be contentious: they must be specific to the site under assessment and need to be determined by analysis. Typical conditional modifiers are:
  - Probability of ignition
  - Probability of exposure
  - Probability of injury
Step 4 Identification of IPLs

- Identify BPCS protective function, if any
- List any alarms and the operator response (written procedure required)
- Record qualifying pressure relief devices
- Document other safety related systems
  - Management practices
  - Human actions
  - Machine protection systems
General Rule of Independence

To be independent, a layer of protection shall prevent an unsafe scenario from progressing regardless of the initiating event or the performance of another layer of protection.

Given events A and B, A is independent of B if, and only if, the probability of A is unchanged by the occurrence of B.

Two events (A and B) are independent if the probability that they both occur is the product of their separate probabilities: P(A and B) = P(A) * P(B).
Independent Protection Layers Credit Factor Table

Independent protection layer | PFD | Notes
- Pressure relief device | 1.E-02
- SIS - SIL 1 | 1.E-01 | Credits are zero (0) if unrestricted change allowed
- SIS - SIL 3 | 1.E-03 | Credits are zero (0) if unrestricted change allowed
- BPCS, when independent of initiating event | 1.E-01 | Credits are zero (0) if unrestricted change allowed
- Internal mechanical safety trips that are independent of the SIS or BPCS | 1E-1 to 1E-2 | Value chosen depends on verification by vendor and testing frequency
- Operator response under high stress, average training | 5.E-01
- Operator response to alarms and procedures, low stress, recognized event | 1.E-01
- Operator response to alarms and procedures, low stress, recognized event with more than 24 hours to resolve problem | 1.E-02
- Enclosure with an elevated stack | 1.E-01
- Enclosure with attached mitigation device such as a scrubber or THROX | 1.E-02
- Containment building capable of withstanding any credible release | 1.E-03
- Restricted access where consequence is limited to the restricted area | 1.E-01
- Dikes when capable of mitigating the initiating event (an IPL only for environmental events) | 1.E-02
- Other safety related protection systems | 1.E-01 to 1.E-03
Basic Rules for BPCS and Alarms

- If a BPCS (whole loop) is an IE, no credit is taken for the BPCS or alarm IPL unless they are independent systems.
- If BPCS and alarm IPLs use the same sensor, you can take credit for one IPL only.
- The alarm IPL requires a formally recorded and auditable operator action to prevent the scenario.
- If a sensor failure is the IE, BPCS and alarm IPLs are not valid credits if they require the failed sensor to function.
- If a final element failure is the IE, BPCS and operator-action-on-alarm IPLs are not valid credits if they require the failed final element to function.
- If a BPCS logic solver is an IE, no credit is taken for the BPCS or alarm IPL unless they are independent systems.
- If an alarm is an IPL, the operator must have time to prevent the scenario. No credit shall be taken if the operator has less than 10 minutes to respond. Credit may be taken if this is a recognized case in the emergency response plan.
- A maximum of only one (1) BPCS and one (1) alarm IPL credit is allowed for a case.
- Sharing of BPCS and SIS elements may be allowed when there is evidence of adequate independence (see rules for sharing SIS elements by the BPCS).
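The rules above as an executable credit checker, added here as an example (not part of the ProSalus material). The record layout (dictionaries with kind, system, sensor, final_element, response_minutes and procedure_recorded fields), the tag names such as LT-101, and the sample case are constructed for this example; the two credit factors are the BPCS and low-stress alarm values from the credit factor table on the earlier slide. The emergency-response-plan exception for short response times is not modelled.

```python
# Added example (not the ProSalus material): applies the Basic Rules for BPCS
# and Alarms to a proposed list of IPL credits for one cause/consequence pair.
# The record layout and tag names are constructed for this example; the credit
# factors are the BPCS and alarm values from the credit factor table.

BPCS_PFD = 1e-1    # BPCS, when independent of the initiating event
ALARM_PFD = 1e-1   # operator response to alarms and procedures, low stress

def valid_ipl_credits(initiating_event, ipls):
    """Return (accepted IPLs, rejection reasons).

    initiating_event: {"kind": one of "bpcs_loop", "logic_solver", "sensor",
                       "final_element", "other"; "system", "sensor",
                       "final_element": tag names or None}
    ipls: list of {"name", "kind": "bpcs" or "alarm", "system", "sensor",
                   "final_element", "response_minutes", "procedure_recorded"}
    IPLs are considered in the order given; the first valid BPCS and the first
    valid alarm are credited.
    """
    accepted, reasons = [], []
    ie_kind = initiating_event["kind"]
    credited_sensors = set()
    taken = {"bpcs": 0, "alarm": 0}
    for ipl in ipls:
        name = ipl["name"]
        # BPCS loop or BPCS logic solver as IE: no credit unless an independent system
        if ie_kind in ("bpcs_loop", "logic_solver") and ipl["system"] == initiating_event["system"]:
            reasons.append(f"{name}: part of the BPCS that caused the demand")
            continue
        # Failed sensor as IE: IPLs that need that sensor are not valid credits
        if ie_kind == "sensor" and ipl["sensor"] == initiating_event["sensor"]:
            reasons.append(f"{name}: relies on the failed sensor")
            continue
        # Failed final element as IE: IPLs that need that element are not valid credits
        if ie_kind == "final_element" and ipl["final_element"] == initiating_event["final_element"]:
            reasons.append(f"{name}: relies on the failed final element")
            continue
        # BPCS and alarm on the same sensor: credit for one IPL only
        if ipl["sensor"] in credited_sensors:
            reasons.append(f"{name}: shares a sensor with an IPL already credited")
            continue
        if ipl["kind"] == "alarm":
            # alarm credit needs a recorded, auditable operator action ...
            if not ipl["procedure_recorded"]:
                reasons.append(f"{name}: no formally recorded, auditable operator action")
                continue
            # ... and at least 10 minutes for the operator to respond
            if ipl["response_minutes"] is None or ipl["response_minutes"] < 10:
                reasons.append(f"{name}: operator has less than 10 minutes to respond")
                continue
        # at most one BPCS and one alarm credit per case
        if taken[ipl["kind"]] >= 1:
            reasons.append(f"{name}: only one {ipl['kind']} credit allowed per case")
            continue
        taken[ipl["kind"]] += 1
        credited_sensors.add(ipl["sensor"])
        accepted.append(ipl)
    return accepted, reasons

def credited_pfd(accepted):
    """Product of the credit factors of the accepted IPLs (1.0 when none)."""
    pfd = 1.0
    for ipl in accepted:
        pfd *= BPCS_PFD if ipl["kind"] == "bpcs" else ALARM_PFD
    return pfd

def sample_case():
    """Constructed tank-level case: the level transmitter LT-101 that the BPCS
    uses is the initiating event, so anything relying on it cannot be credited."""
    ie = {"kind": "sensor", "system": "BPCS-1", "sensor": "LT-101", "final_element": "LV-101"}
    ipls = [
        {"name": "BPCS high-level cutback", "kind": "bpcs", "system": "BPCS-1",
         "sensor": "LT-101", "final_element": "LV-101", "response_minutes": None,
         "procedure_recorded": False},
        {"name": "LAH-102 operator stops pump", "kind": "alarm", "system": "BPCS-1",
         "sensor": "LT-102", "final_element": "P-101", "response_minutes": 20,
         "procedure_recorded": True},
        {"name": "LAH-103 operator closes inlet", "kind": "alarm", "system": "BPCS-1",
         "sensor": "LT-103", "final_element": "XV-103", "response_minutes": 30,
         "procedure_recorded": True},
    ]
    return valid_ipl_credits(ie, ipls)

if __name__ == "__main__":
    accepted, reasons = sample_case()
    print([i["name"] for i in accepted], credited_pfd(accepted))
    for r in reasons:
        print("rejected:", r)
```

In the sample case the BPCS cutback is rejected because it reads the failed transmitter, the first alarm is credited, and the second alarm is rejected only because one alarm credit per case is the maximum, so the non-SIS layers contribute a single factor of 0.1.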
Step 5 - Mitigation

- Relief devices
- Flares
- Containment
- Other safety related protection systems

Then go on to consider safety instrumented systems if you still have protection gaps.
Rules for Pressure Relief Devices

1. The pressure relief device either protects or it doesn't. Partial credit is not allowed.
2. If the pressure relief device discharges to the atmosphere creating a second hazard (to people, the environment or equipment), no credit is allowed. If the release to the atmosphere has an acceptable risk, credit may be taken.
3. If the pressure relief device discharges to a flare, tank, or scrubber, credit is taken.
4. This is not a tool for deciding "No Overpressure Protection Device Needed".
Step 6 Address SIS Requirements

List safety instrumented functions if required.

The SIL of the SIF is the numerical value needed to "close the gap".
Basic Rules for SIS

1. SIS entries are considered last, and then only if necessary to close the protection gap.
2. A non-zero, positive value in the Protection Gap column indicates a SIS is needed.
3. The required SIL of the SIS is the value which closes the Protection Gap.
4. A SIL value greater than 3 should not be allowed. Additional non-SIS IPLs are required, or there is something wrong with the process.
5. A zero or negative value in the Protection Gap column indicates a SIS is not needed.
6. A SIS with a SIL of 2 or 3 can be replaced with a combination of lower SILs provided they are independent from each other: SIL 1 + SIL 1 = SIL 2; SIL 1 + SIL 2 = SIL 3.
7. Two (2) SIS IPLs used in the same case require separate sensors, logic solver and final element. Independent paths through the same SIS logic solver must be used.
Step 7

- Completely document the scenario, initiating event and IPLs. Justify and address uncertainties and sensitivities.
- Document the SIS requirements AND the requirements for the other mitigation systems.

Example

Determination of SIL by LOPA
Example - Determination of SIL by LOPA

This practical exercise requires participants to determine the required SIL of a proposed safety instrumented system using the basic principles and LOPA parameters described in this module.

A tank overfill hazard has been identified by the HAZOP team; two causes have been identified:

- Pump failure: 2.0 per year
- Level control failure: 0.1 per year

Determine the required target SIL for personnel safety of the High Level Shut Off to the tank if the tolerable risk for the hazard is 1.0E-05.
[Figure: process sketch for the tank overfill example, showing the SIS logic solver.]

LOPA Worksheet for Pump Scenario

[Figure: completed LOPA worksheet with impact event "overfill of tank", initiating cause "pump failure", the initiation likelihood, and the PFD average of each protection and mitigation layer.]

LOPA Worksheet for Level Control Scenario

[Figure: completed LOPA worksheet for the level control failure cause, with the protection and mitigation layers and their PFDs.]
Practical Exercise No: 4

Determination of SIL by LOPA

Exercise No: 4 - Determination of SIL by LOPA

This practical exercise requires participants to determine the required SIL of a proposed SIS using the basic principles and LOPA parameters described in this module.

Liquid is transferred manually to a holding tank before delivery to the plant; the operator must stop the pump at 75% tank level.

A tank over-pressurisation hazard has been identified by the HAZOP team; two causes have been identified:

- Operator fails to stop pump: 0.1 per year
- Level control failure: 0.1 per year

Determine the required target SIL for personnel safety of the High Pressure Vent SIF to Flare.

The tolerable risk for the hazard is 1.0E-05.

The holding tank has a relief valve installed which is sized for full flow and vented to flare.

The process design is not considered to be fit for purpose.
[Figure: holding tank arrangement showing the vent to flare and the operator stopping the pump at the required level.]

LOPA Worksheet

[Figure: blank LOPA worksheet for Exercise No: 4.]
For 
Fire and Gas Systems 
ISA-TR84.00.07 
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Relationship Between Protection Functions 
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SIPF verses SIMF 


= FGS detect loss of containment by directly measuring the presence of the 
released material (gas concentration) or effects of their release (thermal 
radiation) to initiate mitigative actions such as: 


« Plant evacuation alarm 

= Deluge systems 

= Fire water or spray systems 
« Water curtains 


« Instrument functions detect changes in process conditions without a LOC and 
take preventative actions to eliminate the consequence from occurring 
= IEC 61511 is based on the concept that the SIF eliminates the consequence 


and this is why the use of performance based design methodologies for SIMF 
are not currently the norm in the process industries 
Assessing Fire and Gas Systems (FGS)

- FGS design can be implemented using a:
  - Prescriptive approach using national consensus standards, codes and / or industry guidelines (NFPA 72)
  - Risk-based approach, including the concept of designing to a targeted performance level, with an associated integrity and an acceptably low probability of failure on demand
- However, it is difficult to apply the IEC 61511 lifecycle approach in practice due to the following three factors.


=" Factor 1 - IEC 61511 techniques are suited for specific hazards that can be 
adequately defined using HAZOP and LOPA as an input to the risk 
assessment process. FGS reduce the risk of general hazards (e.g., leaks 
from a variety of equipment), and these hazards are difficult to define and 
analyze with precision without using more-advanced risk analysis 
techniques, such as gas dispersion modeling or fire modeling 


" Factor 2 - FGS do not prevent a hazardous condition, but — rather — they 
mitigate the effects of the hazard. The FGS system typically reduces the 
magnitude and severity of a hazard instead of completely eliminating it which 
is a requirement of IEC61511 
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Factors affecting FGS Assessment 


Factor 3 - In addition to failure of components that could render the system 
unavailable, a significant cause of FGS ineffectiveness is due to inadequate 
positioning of FGS sensors to detect the hazardous condition. Even if very high 
SIL targets can be achieved in FGS design and testing (in terms of low 
average probability of failure on demand of the instrumented function), 
sufficient reduction in risk will not occur unless detector placement and 
coverage is very high. 


Therefore, the detector placement and coverage problem requires study 
with the same quantitative rigor as average probability of failure on demand. 
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Factors affecting FGS Assessment - Final Elements 


Another significant cause of FGS ineffectiveness is due to the incapability of the 
mitigation final elements (e.g. fire water system, foam deluge, water curtain, 
ventilation system) to perform their function with a high probability of success. 


Effectiveness of the mitigation function is dependent on: 
= stopping the process and removing the hazardous material 
"applying fire water with the appropriate flow and spray characteristics 


= Initiating alarms to enable personnel to get to safety 
ISA-TR84.00.07 Performance-based FGS Analysis Procedure

(1) Screen to determine if an FGS function is required and define control volumes
(2) Identify risk scenarios
(3) Analyze consequences
Assess detector coverage
(8) Assess FGS safety availability
(10) Mitigated risk assessment
(11) Modify FGS system design
Conclusions on FGS Assessment

- FGS assessment requires advanced techniques for analysis not normally considered part of the C&I function; they are more related to the process safety / technical safety function and are covered by the QRA
- A significant cause of FGS ineffectiveness is inadequate positioning of detectors and final elements; calculating only the PFD of the system components is not rigorous enough
- RRF is only achieved if detector placement and coverage are high
- RRF is also dependent on the capability of the final element (fire water etc.)
- SIL is insufficient to properly define the design basis for an FGS SIF
- The design basis should be based on performance criteria:
  - Percentage detector coverage
  - Percentage mitigation effectiveness
- Remember that relevant standards must be applied (e.g. EN 54 / NFPA 72)
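The performance model that the three factors and the conclusions above describe, written out so the effect of detector coverage and mitigation effectiveness can be seen next to the instrumented function's availability. This is an added example, not material from the slides or from ISA-TR84.00.07 itself: the multiplicative form (coverage x availability x mitigation effectiveness), the function names, and the comparison values are assumptions made for this example.

```python
# Added example (not from the slides or from ISA-TR84.00.07): the performance
# model the conclusions describe, so the effect of detector coverage and
# mitigation effectiveness can be seen alongside the instrumented function's
# availability. The multiplicative form is an ASSUMPTION: the simplest model
# consistent with the three factors named on the slides.
import math

def _check_fraction(name, value):
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be a fraction between 0 and 1, got {value}")

def fgs_effectiveness(detector_coverage, safety_availability, mitigation_effectiveness):
    """Probability that the FGS actually mitigates a release: the release is
    detected AND the instrumented function works on demand AND the final
    elements (fire water, deluge, alarms...) do their job."""
    for name, value in (("detector_coverage", detector_coverage),
                        ("safety_availability", safety_availability),
                        ("mitigation_effectiveness", mitigation_effectiveness)):
        _check_fraction(name, value)
    return detector_coverage * safety_availability * mitigation_effectiveness

def risk_reduction_factor(detector_coverage, safety_availability, mitigation_effectiveness):
    """RRF achieved by the whole FGS, not just by its PFDavg."""
    eff = fgs_effectiveness(detector_coverage, safety_availability, mitigation_effectiveness)
    return math.inf if eff >= 1.0 else 1.0 / (1.0 - eff)

def mitigated_frequency(unmitigated_frequency, detector_coverage, safety_availability,
                        mitigation_effectiveness):
    """Residual frequency of the unmitigated outcome (per year)."""
    return unmitigated_frequency * (1.0 - fgs_effectiveness(
        detector_coverage, safety_availability, mitigation_effectiveness))

def coverage_needed(target_rrf, safety_availability, mitigation_effectiveness):
    """Detector coverage required to reach target_rrf. A value above 1.0 means
    the target cannot be met by adding detectors alone: the final elements or
    the availability must improve."""
    required_eff = 1.0 - 1.0 / target_rrf
    return required_eff / (safety_availability * mitigation_effectiveness)

if __name__ == "__main__":
    # Constructed comparison: a function with SIL 3 style availability (0.999)
    # but 60% coverage and 80% mitigation effectiveness, versus a function with
    # SIL 1 style availability (0.9) but 95% coverage and 95% effectiveness.
    print(risk_reduction_factor(0.6, 0.999, 0.8))    # about 1.9
    print(risk_reduction_factor(0.95, 0.9, 0.95))    # about 5.3
    print(coverage_needed(10, 0.99, 0.9))            # above 1.0: not achievable
```

The comparison makes the conclusion concrete: the better-rated function delivers less than half the risk reduction of the worse-rated one because its detectors miss 40% of releases, and `coverage_needed` shows that an RRF of 10 is out of reach with 90% mitigation effectiveness however many detectors are added.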